CVE-2023-51676: 
WordPress vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the Leevio Happy Addons for Elementor WordPress plugin, identified as CVE-2023-51676. The vulnerability affects versions up to 3.9.1.1 and was discovered by Yuchen Ji, with public disclosure occurring on December 27, 2023 (Patchstack, WPScan).

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and received varying CVSS scores. The NVD assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Patchstack rated it at 4.9 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers with contributor-level access or higher to make web requests to arbitrary locations originating from the web application. This can potentially be exploited to query and modify information from internal services (WPScan).

The vulnerability has been fixed in version 3.10.0 of the Happy Addons for Elementor plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).